By David Manek, Ruby Hinds, Amber Gosney

October 3, 2018

Sustainable privacy programs are not reactive in nature. Rather, they are built on frameworks that can be applied to emerging privacy regulations with minimal change. As individual countries and states introduce their own new privacy regulations, we need to identify the overlap among the regulations, so we can maintain costs and efficiencies in implementing privacy programs. In this white paper, Ankura describes steps to harmonize the General Data Protection Regulation and the California Consumer Privacy Act in an effort to build a long-term and sustainable privacy program, while maximizing efficiency.

General Data Protection Regulation

The General Data Protection Regulation (GDPR)[1] went into effect on May 25, 2018. The GDPR forced many organizations to build privacy programs for the first time and includes many new elements, especially for U.S.-based organizations, related to the rights of the data subjects. For example, under certain circumstances a prospect, customer, or employee can request that the organization give access to or erase the personal data it holds on that individual. These new regulatory requirements often necessitate complex technical and organizational solutions.

As of writing this paper, we have helped over 35 organizations reach a state of readiness with the GDPR. We have worked on many of the technical elements of GDPR readiness, including creating data inventories, conducting privacy impact assessments, and reviewing information security practices. In addition, our professionals serve as third-party Data Protection Officers for our clients.

California Consumer Privacy Act

The recently adopted California Consumer Privacy Act 2018 (CCPA)[2] is expected to be enforceable as of Jan. 1, 2020. The CCPA shows a significant increase in the control that individuals have over their personal information. This includes what personal information is processed, as well as with whom it is shared.

Businesses to which the CCPA applies include corporate entities that collect California consumer personal information and that satisfy one or more of the following criteria: (a) annual gross revenue in excess of $25 million; (b) annually buy, sell, or share personal information of 50,000 or more consumers, households, or devices; or (c) derive 50% or more of their annual revenues from selling consumers’ personal information.

The CCPA has many principles and requirements shared with the GDPR. Fundamentally, the CCPA affords individuals far greater control of their personal information than previous regulations, provides a mechanism for filing complaints, and places heavy fines on organizations for noncompliance. The CCPA will apply to any entity that provides services to California residents, no matter where the entity is physically located. Hence, the CCPA has an expansive geographic reach, similar to the international impact of the GDPR’s far-reaching privacy protections. For both legal instruments, any organization providing services to California and European residents, no matter where the organization is located, will most likely need to comply with the legislations.

The CCPA requires that organizations disclose what categories of personal information a business collects about them, their devices, their households, and their children, gives people the right to know if an organization has sold their personal information, and the right to opt out from having their data sold to third parties. The “Do Not Sell My Data” option will become a new instrument to which many companies will need to implement to fulfil requirements under the CCPA. This will include both technical and organizational measures to fulfill this request for California residents to opt-out of the sale of their personal information.

In addition, the CCPA is explicit in including “inferences” derived from personal data in the definition of personal information, similar to the GDPR’s “personal aspects”. The CCPA defines inferences as “drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” It is important to enhance an organization’s personal data inventory in order to capture instances of the use of inferences.

In relation to fines and sanctions, both the GDPR and CCPA carry substantial penalties for noncompliance. Fines under the GDPR could reach up to 4% of the prior year’s global revenues, whereas the CCPA provides for a penalty of $2,500 to $7,500 per violation, depending on intent of processing from which the violation was derived. In either scenario of violating the GDPR or the CCPA, consequences for mishandling personal information can prove costly.

It is important to note that while there is substantial overlap between the GDPR and the CCPA, being compliant with the GDPR does not assure compliance with the CCPA and vice versa. Each legislation carries several unique elements that require dedicated attention. Therefore, it is wise to formulate a privacy program from the outset that takes into consideration relevant privacy legislation.

In our efforts to harmonize our privacy frameworks, the next step is to enhance our existing GDPR-centric framework to capitalize on overlap, but also ensure we provide supplementary compliance requirements for the CCPA. As the leader of a privacy program, you want to be positioned to convey to your stakeholders that the privacy program you are executing meets the requirements of GDPR, CCPA, and all other potentially relevant regulations.

When implementing new technical and operational measures aimed at attaining privacy compliance, it is advantageous to work concurrently on both the GDPR and the CCPA legislations.

Summarized in Table 1 are sample requirements set forth in the GDPR and CCPA:

Requirements

General Data Protection Regulation

California Consumer Privacy Act

Transparent Data Privacy Notices

x

x

Registrar of Processing Activities

x

Data Protection Impact Assessments

x

Technical Security Measures

x

x

Breach Notification Protocol

x

x

Right to Access

x

x

Right to Erasure

x

x

Right to Opt-Out

x

x

Data Protection Agreements with Vendors

x

Right to Know to What Third-Party Data is Shared or Sold

x

Right to Opt-Out of Sale of Data to Third Parties

x

Legal Data Transfer Mechanisms

x

Substantial Fines for Noncompliance

x

x

Transparent Data Privacy Policy: Both the GDPR and CCPA require all privacy notifications to be in clear and concise language.

Right to Access: Individuals under both the GDPR and CCPA have the right to access the personal information being processed by companies. Under the CCPA, individuals have the right to ask what personal information is shared with third parties, with whom, and for what purpose. The GDPR mandates a reply to individuals within 30 days, while the CCPA requires communication within 45 days.

Right to Erasure: Individuals under both the GDPR and CCPA have the right to request deletion of their personal information with exceptions. Under the CCPA, individuals have the right to request that third parties with whom their data is shared is also deleted. It would be necessary under the GDPR for organizations to ensure that all data processors also delete personal data upon request.

Right to Opt-Out or Object to Processing: Individuals under both the GDPR and CCPA have the right to object to the processing of their data. Both legislations mandate that the same quality of services should be offered to individuals who request to opt out of data sharing, prohibiting lesser quality of service rendered despite the opt-out request.

Registrar of Processing Activities: Both the GDPR and CCPA require companies to maintain records of processing. However, these vary slightly. It is necessary to maintain an up-to-date personal data inventory that complies with Article 30 of the GDPR. There is not an explicit requirement in the CCPA to maintain a data inventory; however, from an operational perspective, it would be very difficult for an organization to respond to a data-access request under the CCPA without first knowing what personal data is collected and where and how such data is maintained.

Data Protection Impact Assessments: The GDPR requires that Data Controllers assess the impact of processing operations on the protection of personal data where the processing is likely to result in a high risk for the rights and freedoms of data subjects in Article 35. Such analysis is executed through the completion of data protection impact assessments. As of writing this article, the CCPA does not require data protection impact assessments.

Technical Security Measures: Both the GDPR and CCPA require attention to security of personal data, as fines for data breaches are costly under both regimes. Under the GDPR, a fine for a data breach could reach 2% of the prior year’s global revenue. Under the CCPA, any consumer whose nonencrypted or nonredacted personal information is subject to a data breach as a result of the organization not maintaining reasonable security practices, may incur damages between $100 and $750 per incident.

Breach Notification Protocol: The GDPR requires organizations to notify supervisory authorities in the event of a data breach that poses a “risk of harm” to individuals under Article 33. The notification is expected without undue delay and within 72 hours. The CCPA allows for organizations to notify the California Attorney General of data breaches within 30 days of knowledge of breach, to which time the Attorney General has 30 days to act upon this information.

Data Protection Agreements with Vendors: The GDPR creates an obligation on Data Controllers to only outsource processing activities to organizations that have in place sufficient measures to guarantee GDPR compliance and to have a contract in place that governs the vendor relationship under Article 28. The CCPA does not yet match these requirements explicitly, albeit in practice, such contracting practices should now be standard.

Legal Data Transfer Mechanism: The GDPR focus on applying appropriate safeguards in the context of international data transfers in Articles 45, 46, and 49. Article 46 specifically notes the Data Controller or processor may transfer personal data to a third country, provided there are appropriate safeguards in place The CCPA does not specifically focus on international data transfers.

Implementing the GDPR and CCPA Requirements

In summary, key requirements to be implemented technically and organizationally under both the GDPR and CCPA legislation will include:

Developing channels for individuals to make personal data requests, (and specifically under the CCPA a toll-free telephone number required for individuals to make contact).

Respond to individuals’ queries concerning their personal data (within 30 days for the GDPR and within 45 days for the CCPA).

Verify the identity and authorization of persons who make requests for their personal data.

Increased attention to data and information system security, as fines under both legislations will prove costly.

Additional requirements under the CCPA (and not specified in the GDPR) will include:

Conducting a detailed mapping of profiling activities from which personal information “inferences” can be derived and utilized.

Providing a “Do Not Sell My Personal Information” button on websites — and all operational and procedural measures needed thereafter.

Ensuring that those individuals who opted out of services are not contacted for 12 months regarding offering of those services.

Subject to certain potential extensions, under the CCPA, organizations must respond to consumers’ requests within 45 days. The responses must cover the 12-month period prior to the consumer’s request and include the required information in a transferrable format if provided electronically. That being said, organizations should be prepared operationally by Dec. 31, 2019 (the day before CCPA takes effect on Jan. 1, 2020) to practically respond to consumer requests, which requires tracking the collection of personal information, as well as tracking the sources of information and any third parties that have received the information.

Finding harmony and overlap among privacy regulations is a key to staying current, compliant, and controlling costs. We have executed framework alignment exercises using the GDPR, New York State Department of Financial Security, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, and others.

Contributing author Erin Anzelmo

Please contact us to learn more about how we are building holistic privacy solutions that take into consideration existing and emerging regulations.